Merge pull request #43 from x-delfino/code_tabs
Adding support for Code Tabs and improvements on Azure Storage page
chrisphilipov authored Oct 10, 2022
2 parents f67c4c6 + 12d1cba commit 2d9e81e
Showing 2 changed files with 105 additions and 10 deletions.
@@ -1,3 +1,6 @@
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';

# Azure Storage
## Overview
When looking at storage of data in Azure, we have 3 main categories:
@@ -129,11 +132,18 @@ Authorization="[SharedKey|SharedKeyLite] <AccountName>:<Signature>"

It's important to know that you actually have 2 access keys associated with each Storage Account. The reason for this is to facilitate key rotation, a process that should be completed periodically to mitigate the impact in the instance of key compromise. This process is typically done by migrating apps or services to use the secondary key, allowing for the primary key to be regenerated. The same process is then repeated when needing to change the secondary key. Due to this key rotation process, it is necessary to clearly track access key usage to allow for key rotation without impacting services or applications.

Rotation can be checked by looking at the activity logs, which log every action of interest. For instance, if there's not been an event related to "rotation" in the last 90 days, then it's unlikely that the keys are being rotated:
Rotation can be checked by looking at the activity logs, which log every action of interest. For instance, if there's not been a key rotation event in the last 90 days, then it's unlikely that the keys are being rotated:

<Tabs>
<TabItem value="az" label="Azure CLI">

```bash
az monitor activity-log list -g <resourceGroup> --offset 90d | grep -i "rotate"
az monitor activity-log list --offset 90d --query "[?authorization.action=='Microsoft.Storage/storageAccounts/regenerateKey/action'].{Action:authorization.action, resourceId:resourceId, at:eventTimestamp, by:caller}"
```

</TabItem>
</Tabs>

Storage Account Keys are typically enticing to attackers as they provide a means of accessing storage resources without multifactor authentication, and without key expiry (except in the instance of key rotation as outlined above). These keys are also often insecurely stored in source code, with common indicators and areas to check being:
* Usage of the StorageCredentials class
* URIs on the `.core.windows.net` domain (SAS tokens)
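Review bot: the new query `--query "[?authorization.action=='Microsoft.Storage/storageAccounts/regenerateKey/action']..."` is a real improvement over `grep -i "rotate"`, but the sentence above it ("if there's not been a key rotation event in the last 90 days") should name the operation being matched, `Microsoft.Storage/storageAccounts/regenerateKey/action`, so the reader knows what counts as a rotation event. Two caveats belong next to the command: the `-g <resourceGroup>` filter was dropped, so the call is now subscription-wide and results need to be read per `resourceId`; and the Activity log is retained for 90 days, so `--offset 90d` is also the maximum look-back, and an empty result cannot distinguish "never rotated" from "rotated more than 90 days ago" unless the Activity log is being exported elsewhere. Consider `-o table` for readability, as the TLS check later in this file uses.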
@@ -194,7 +204,10 @@ These combinations of service-level permissions, and Storage Account-level ones,
- Want publicly accessible files in different directories? Put them in a Storage Account with "public access" enabled, and into a Blob container with access permissions set to "Container" - fully open;
- Want to only allow anonymous access to specific files, but not everything? Put them into a Storage Account with "public access" enabled, but the access control for the Container holding them set to "Blob"; any other containers should be set to be "Private";

To check the public access setting for all containers in a Storage Account (PowerShell):
To check the public access setting for all containers in a Storage Account:

<Tabs>
<TabItem value="posh" label="PowerShell">

```powershell
$storageAccount = Get-AzStorageAccount -ResourceGroupName <resourcegroup-name> -Name <storageaccount-name>
@@ -203,6 +216,9 @@ $ctx = $storageAccount.Context
Get-AzStorageContainer -Context $ctx | Select Name, PublicAccess
```

</TabItem>
</Tabs>

Due to the lack of authorisation requirements enforced in anonymous access, it is vital that anonymous access is only permitted for blobs and containers that do not contain sensitive information, and explicitly require anonymous access to satisfy intended usage requirements.

More information about blob anonymous access can be found [here](https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure).
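Review bot: the PowerShell tab wrapped here (`Get-AzStorageContainer -Context $ctx | Select Name, PublicAccess`) only reports the container-level access level, while the two bullets above state that anonymous access also requires the Storage Account-level public access setting to be enabled; the snippet should surface that account-level value as well (the `AllowBlobPublicAccess` property on the object already held in `$storageAccount`), otherwise a container showing `Container` or `Blob` on an account with public access disabled reads as a false positive. Since the "(PowerShell)" suffix was removed from the heading in favour of a tab, an Azure CLI tab would keep parity with the other checks in this file, along the lines of `az storage account show --name <storageaccount-name> --query allowBlobPublicAccess` and `az storage container list --account-name <storageaccount-name> --auth-mode login --query "[].{name:name, publicAccess:properties.publicAccess}" -o table` (the latter needs a data-plane RBAC role on the account when using `--auth-mode login`).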
@@ -219,33 +235,55 @@ Encryption <u>at rest</u> is done by default with a MS-managed key
Controls that are commonly insecurely configured include:

#### Is encryption at rest enforced?
PowerShell:

<Tabs>
<TabItem value="posh" label="PowerShell">

```powershell
(Get-AzResource -ResourceGroupName <resourcegroup-name> -ResourceType Microsoft.Storage/storageAccounts -Name <storageaccount-name>).Properties.encryption | ConvertTo-Json
```

</TabItem>
</Tabs>

#### Are HTTPS-only connections enforced?
PowerShell:

<Tabs>
<TabItem value="posh" label="PowerShell">

```powershell
Get-AzStorageAccount -Name <storageaccount-name> -ResourceGroupName <resourcegroup-name> | Select-Object StorageAccountName, EnableHttpsTrafficOnly
```

Az CLI:
</TabItem>
<TabItem value="az" label="Azure CLI">

```bash
az storage account list --query [*].[name,enableHttpsTrafficOnly] -o table --subscription <subcription>;
az storage account list --query [*].[name,enableHttpsTrafficOnly] -o table --subscription <subscription>;
```

</TabItem>
</Tabs>

#### Are insecure TLS versions permitted?
PowerShell:

<Tabs>
<TabItem value="posh" label="PowerShell">

```powershell
Get-AzStorageAccount -Name <storageaccount-name> -ResourceGroupName <resourcegroup-name> | Select-Object StorageAccountName, MinimumTlsVersion
```

Az CLI:
</TabItem>
<TabItem value="az" label="Azure CLI">

```bash
az storage account list --query '[].{name: name, resourceGroup: resourceGroup, minimumTlsVersion: minimumTlsVersion}' --subscription <subscription> -o tsv;
az storage account list --query '[].{name: name, resourceGroup: resourceGroup, minimumTlsVersion: minimumTlsVersion}' --subscription <subscription> -o table;
```

</TabItem>
</Tabs>

More information be found at the following locations:
* [Encryption at rest](https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption)
* [TLS](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)
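Review bot: in the Azure CLI tab of the HTTPS check, `az storage account list --query [*].[name,enableHttpsTrafficOnly] -o table --subscription <subscription>;` leaves the JMESPath expression unquoted, so `[*]` is subject to shell glob expansion and the command breaks if a matching file exists in the working directory; quote it the way the TLS check in the same hunk does (`--query '[].[name,enableHttpsTrafficOnly]'`) and drop the trailing `;` on both CLI lines, which serves no purpose. The `<subcription>` -> `<subscription>` typo fix and the `-o tsv` -> `-o table` change are good. Two wording points the tabs should carry: for the TLS check, an empty `minimumTlsVersion` does not mean TLS 1.2 is enforced, it means the property was never set explicitly and the effective minimum is whatever the platform default was when the account was created (historically TLS 1.0), so empty values need follow-up rather than being ignored; and for "Is encryption at rest enforced?", the context line above says at-rest encryption is on by default with a Microsoft-managed key, so what this check actually reveals is the key source (Microsoft-managed vs customer-managed) and which services it covers, and the heading should say that rather than imply encryption can be switched off.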
57 changes: 57 additions & 0 deletions src/pages/contributing.md
@@ -1,6 +1,8 @@
# Contributing

import Link from '@docusaurus/Link';
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';

Thank you for considering contributing to this knowledge base! We welcome all input from the community. If you'd like to contribute but aren't sure where to start, pick an open issue from the GitHub repository on a topic you know something about and begin work there. Alternatively, if you see a page that needs improvement or want to add a new one all together then please go right ahead!

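Review bot: the `import Tabs` / `import TabItem` lines are placed after the `# Contributing` heading here, whereas the Azure Storage file in this same PR puts them before the H1, and the new "Code Tabs Usage" section below tells contributors to place them "at the top of your markdown page"; pick one placement (before the heading matches the instruction) and use it in both files so the guidance and the examples agree.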
@@ -92,3 +94,58 @@ Check the pages for [Azure MFA](/azure/services/azure_mfa) and [Azure AD](/azure
* The latter is a bit less descriptive and it's even more bullet-to-the-pointy, yet also conveying the idea of structure that we're aiming at

For an idea of a complete article of the "minimalistic" kind, have a look at [AWS CloudTrail](/aws/services/CloudTrail) instead. This shows the minimum info we should aim at having in an article that's not _that_ big requiring too much explanation.

### Code Tabs Usage

This Wiki supports [Tabs](https://docusaurus.io/docs/markdown-features/tabs) which provide a great way to format code examples for different languages. Usage is nice and simple and ends up with an object looking like this:

<Tabs>
<TabItem value="bash" label="bash">

```bash
printf "Cloud Wiki"
```

</TabItem>
<TabItem value="posh" label="PowerShell">

```powershell
Write-Host "Cloud Wiki"
```

</TabItem>
</Tabs>


First you'll need to import the required components by placing this at the top of your markdown page:

```javascript
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
```

Then we can build the tab object. A couple of things to bear in mind:
- The `label` is the value that will appear as the tab name.
- The blank line before and after the code block within the `TabItem` is required.
- Don't indent your code block (the code block itself, you can indent code within the block as required).

``````markdown
<Tabs>
<TabItem value="bash" label="bash">

```bash
printf "Cloud Wiki"
```

</TabItem>
<TabItem value="posh" label="PowerShell">

```powershell
Write-Host "Cloud Wiki"
```

</TabItem>
</Tabs>
``````

For more examples, you can check the [Azure Storage](/azure/services/azure_storage) page.
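Review bot: the bullet list explaining `TabItem` says what `label` does but not what `value` is for; `value` is the tab's identifier, must be unique within a `<Tabs>` group, and is the key Docusaurus uses to sync selection across groups that share a `groupId`, so the guide should say so and recommend consistent values (this PR uses `posh`/`az` on the Azure Storage page but `posh`/`bash` here, which would not sync if `groupId` were adopted). The rendered example above the markdown source duplicates it in full, which is fine for a how-to, but a short lead-in such as "which renders as:" before the live `<Tabs>` block would make the relationship clear. The six-backtick outer fence around a block that itself contains three-backtick fences is correct CommonMark.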
